A phishing attempt at the Australia-based pension provider Spirit Super has led to the compromise of certain personal details. After an employee’s email account was hacked, the ‘super fund’ acknowledged that customer data was compromised on May 19, 2022.
According to the fund's investigation, the incident involved "unauthorized access to a mailbox holding personal data," which included names and other sensitive information. Spirit Super said around 50,000 people are affected. For context, Spirit Super manages $26 billion in assets on behalf of 325,000 members in Australia.
A press statement from the firm reads: “The personal data that may have been compromised is similar to some information provided in an annual statement, including names, addresses, ages (as at 2019 and 2020), email addresses, telephone numbers, member account numbers, and member balances (as at 2019 and 2020).”
“It is important to note that this data DOES NOT include dates of birth, government identification numbers (such as tax file numbers or driver’s license details), or any bank account details.”
Spirit Super believes the attack was part of a wider phishing effort rather than a targeted one. According to the fund, the breach was the result of human error during a phishing email campaign masquerading as official communication, not the consequence of a serious security flaw or a technological failure: a staff member's password was compromised through a fraudulent email.
According to Spirit Super, the staff member's mailbox was accessed despite the use of multi-factor authentication (MFA). It added that it is conducting a comprehensive investigation to determine the impact of the incident, including reviewing account activity and tightening account safeguards.
Spirit Super notified the relevant authorities, including the Privacy Commissioner. It is also taking proactive steps to strengthen its IT security and reduce the risk of future cyber incidents. The company has contacted everyone affected by the breach; members who have not been contacted are not believed to be affected.